Cofense Email Security

Beware: Purchase Order Scam Carries Phishing Link

Phish Found in Environments Protected by SEGs

Microsoft
IronPort

By Kian Mahdavi, Cofense Phishing Defense Center

Notification related purchase order emails have historically been popular with threat actors. Businesses are continually receiving invoices for goods and services that are purchased throughout the year, allowing threat actors to capitalize on this opportunity to harvest recipient credentials.

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign using a newly created domain name to send out mass emails to multiple recipients across a variety of industries.

As we begin to dissect the email, it’s evident there is nothing too complicated for the recipient to grasp. The subject is “Purchase Order”, the top-level domain (TLD) is noreply@h4ppy[.]net and finally, an alias display name is provided.

Phishing Email Body - Example Image

Figure 1 – Email Body

On closer inspection, the “attachment” isn’t what it seems. In fact, it’s an image of the Excel icon and file name with an embedded hyperlink. We assess with moderate confidence that the threat actor made this decision within their phishing kit to slip past the secure email gateway (SEG). We make this assessment based on existing SEGs that apply a range of different technologies to protect organizations by utilizing signature-based detection on attachment names. Furthermore, the word “sepetember” has been misspelled.

Should the recipient still be curious enough to click the embedded link from figure 1, they are redirected to the login page, below, displayed in figure 2. It’s interesting looking at the brand of the login page — “Yahoo.com” has been rendered as “Yanhoo[.]com”. Possibly a mistake in the threat actors phishing kit?

Finally, the “Norton Secure” screenshot has been included below the credentials section, reassuring the recipient that the transaction is ”safe” and “secure”.

Phishing Landing Page - Sample Screenshot

Figure 2 – Phishing Landing Page

Four Factors for Increasing Your Cyber Awareness

1) Fake domains and websites

Threat actors are constantly improving their tactics techniques and procedures (TTPs) with the assistance of easy-to-use website creators; Wix and Google sites are just a two among many. Spoofing techniques are also apparent, not only domains but also email addresses, for the purpose of tricking the user who may not spot the lookalike.

2) Pay attention to the opening of the email

Emails that don’t contain the recipient’s name, or phrases such as “Good Day” or “Dear…” are suspicious. Another suspicious opening phrase such as “Dear example@example[.]com” should also serve as a red flag. Think for a second; would your supplier greet you by your email address or first name?

3) Email message not recognized.

This relates to the first point; one must ask, “Was I expecting this invoice? Was I expecting this purchase order?” There’s a chance there might be some relevance to the recipient, a possibility that plays perfectly toward the confusion that improves the attacker’s chances.

4) Grammatical errors and improper use of English.

Mistakes happen, particularly when we’re hurrying to send that final Friday email. That may not necessarily signal a scam. However, several errors, along with other suspicious attributes, are cause for concern.

Cofense Can Help

Cofense PhishMe offers various simulation templates to condition users on all possible phishing tactics and evolving techniques.

With phishing training, users attain the skills needed to identify phishing attacks. The Cofense Reporter feature forwards threats to the security team or Cofense PDC for analysis. Cofense Triage reduces real-time exposure and can combine with Cofense Vision to quarantine threats.

Cofense Intelligence will precisely protect your organization against evolving threats. Cofense Intelligence customers received additional information about threats in Active Threat Report (ATR) 216163.

Sign up for 3 free months of Cofense Intelligence to proactively defend your organization against similar threats, and learn how you can mitigate attacks that are likely to end up in your inbox.

Indicators of CompromiseIP
hXXps://u22827876[.]ct[.]sendgrid.net/ls/click?upn=-2Bu-2F-2BOd6tXIf7LyRMW98X-2BWowBFm9GLLGnuS3zV302EgMb6Ct5vFgmVm7flUvuNAwTeMLC6-2BOZa9T1i-2F6v-2Biib4-2BF-2BkERwKhOWQgT2BAoh3I-3D_q2Z_JtidMU7Wawf-2BIbv66K-2FlNJjICozsCPJg053jTSnHSOlgsnvrEHbOsZrU3-2BHp3mEIkl-2Bav2IsaX7yyPxlv-2B1MYH3GN984nf4-2F6BOQoYU2bx

167[.]89[.]123[.]122

167[.]89[.]123[.]16

167[.]89[.]118[.]35

167[.]89[.]118[.]28

hXXps://605131[.]selcdn[.]ru/second2g/roman.html92[.]53[.]68[.]204
92[.]53[.]68[.]202
92[.]53[.]68[.]203
92[.]53[.]68[.]205
92[.]53[.]68[.]201

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Share This Article
Facebook
Twitter
LinkedIn

Search

We use our own and third-party cookies to enhance your experience. Read more about our cookie policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.